Quite a lot has happened since I last posted about the security issue, and I am still trying to read up on everything that has happened. The situation has gotten worse, much worse. We are seeing very fast mutation of the attacks, with a “second generation” attack coming out one day after the first. Read on for more info.
The brief rundown: Early on December 31, Ilfak Guilfanov issued a patch that temporarily fixes the situation. Normally I wouldn't suggest installing third-party patches to the operating system, but every security expert I have read is saying that this is a must right now. For more information on the patch, look to http://www.hexblog.com/2005/12/wmf_vuln.htm, http://www.grc.com/sn/notes-020.htm, http://www.f-secure.com/weblog/archives/archive-122005.html#00000756.
Look especially at the F-Secure link; they have a concise set of steps to take to secure your computer for the time being.
Next on the timeline, later on the 31st, the first WMF exploit worm was found.
“It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted.
We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to “http://[snip]/xmas-2006 FUNNY.jpg”.”
-Viruslist.com Weblog, full post at: http://www.viruslist.com/en/weblog?discuss=176892530&return=1.
So far this seemed to be an isolated event, with only about 1000 infections.
On the 1st, an email-based attack using this exploit was found. Details can be found here: http://www.f-secure.com/weblog/archives/archive-012006.html#00000759. Be wary of emails with subjects like “Happy New Year” that carry an image attachment named “HappyNewYear.jpg”.
That is a brief recap; follow the links posted above for a detailed explanation of the problem. If you are stuck using a Windows machine, please be very careful when browsing the web, checking email, and using IM clients. The problem is very bad: even visiting the wrong website will infect your computer. I would highly suggest installing the third-party patch for this problem and uninstalling it when Microsoft finally releases an official one.
These are the times when I am glad to be using a Linux box.
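As an added, defender-side example (not part of the original post, and not a tool from any of the vendors linked above): both the IM worm and the email attack arrive as a “.jpg” file that exploits the WMF vulnerability, relying on Windows to render by content rather than by file extension. A mail gateway or download proxy can apply the same sniffing in reverse and hold anything that carries a Windows Metafile header behind an image extension. The magic numbers below are the published signatures of each format; the sample byte strings and file names are constructed for the demonstration, and the "hold every WMF during the unpatched window" policy is my assumption, not advice from the post.

```python
"""Content-vs-extension check for image attachments during the WMF window.

Added example, not code from the original post or from any vendor linked
there. The magic numbers are the published signatures of each format; the
sample bytes and file names below are constructed for the demonstration.
"""
import os
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
BMP_MAGIC = b"BM"
# Placeable (Aldus) metafile header key 0x9AC6CDD7, stored little-endian.
WMF_PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"

# What a given extension promises the content will be.
DECLARED_TYPE = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
    ".gif": "gif", ".bmp": "bmp", ".wmf": "wmf",
}


def sniff(data: bytes) -> str:
    """Identify the real image type from the leading bytes, ignoring the name."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(BMP_MAGIC):
        return "bmp"
    if data.startswith(WMF_PLACEABLE_KEY):
        return "wmf"
    if len(data) >= 6:
        # Standard METAHEADER: mtType (1 memory / 2 disk), mtHeaderSize (9 words),
        # mtVersion (0x0100 or 0x0300), all little-endian WORDs.
        mt_type, hdr_size, version = struct.unpack("<HHH", data[:6])
        if mt_type in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def check_attachment(filename: str, data: bytes, block_all_wmf: bool = True):
    """Return (quarantine, reason) for one attachment or downloaded file.

    block_all_wmf=True is an assumed policy for the unpatched window: any
    metafile content is held, whatever the name says. With it off, only a
    mismatch between extension and content is flagged.
    """
    ext = os.path.splitext(filename.lower())[1]
    declared = DECLARED_TYPE.get(ext)
    actual = sniff(data)
    if actual == "wmf" and block_all_wmf:
        how = "openly named" if declared == "wmf" else f"hidden behind {ext or 'no extension'}"
        return True, f"{filename}: Windows Metafile content, {how}"
    if declared is None:
        return False, f"{filename}: not an image extension, not inspected"
    if actual != declared:
        return True, f"{filename}: extension claims {declared}, content is {actual}"
    return False, f"{filename}: content matches extension"


# Constructed samples: a minimal JFIF prefix and two WMF header prefixes with
# zero padding; none is a complete, renderable image.
SAMPLES = {
    "holiday.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + bytes(16),
    "HappyNewYear.jpg": b"\x01\x00\x09\x00\x00\x03" + bytes(32),
    "xmas-2006 FUNNY.jpg": WMF_PLACEABLE_KEY + bytes(32),
    "readme.txt": b"plain text, not an image",
}


def scan_samples(block_all_wmf: bool = True) -> dict:
    """Run the check over the constructed samples; returns name -> held?"""
    return {name: check_attachment(name, data, block_all_wmf)[0]
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        held, why = check_attachment(name, data)
        print("QUARANTINE" if held else "pass      ", why)
```

The header check deliberately accepts both the placeable and the bare METAHEADER form, since a renderer that decides by content will accept either; a gateway that only looked for the placeable key would pass the second sample through. Once the official fix is out, `block_all_wmf=False` keeps only the extension-mismatch check, which is worth leaving on for any image type.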
I forgot a pretty important link on the situation. Ilfak Guilfanov has also come up with a program that checks whether you are vulnerable. It only checks one variant of the problem right now, but it is still better than nothing. I would highly suggest running this application as well. It can be found here: http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html
*UPDATE Number 2*
Check out the SANS blog for a complete FAQ on this situation. http://isc.sans.org/diary.php?storyid=994